Syslog solution for Sentinel

Solution: Syslog

| Attribute | Value |
| --- | --- |
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.6 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-23 |
| Solution Folder | Syslog |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (92%) |

The Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace.

Installing this solution deploys two data connectors:

1. Syslog via AMA - This data connector ingests syslog messages into your Log Analytics workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this data connector.

2. Syslog via Legacy Agent - This data connector ingests syslog messages into your Log Analytics workspace using the legacy Log Analytics agent.

**NOTE**: After the solution is installed, Microsoft recommends configuring and using the Syslog via AMA connector for log ingestion. The legacy connector uses the Log Analytics agent, which is about to be deprecated by **Aug 31, 2024**, and thus should only be installed where AMA is not supported.

Contents

Data Connectors

This solution provides 2 data connector(s):

Tables Used

This solution uses 1 table(s):

| Table | Used By Connectors | Used By Content |
| --- | --- | --- |
| Syslog | Syslog via AMA, Syslog via Legacy Agent | Analytics, Hunting, Workbooks |

Content Items

This solution includes 18 content item(s):

| Content Type | Count |
| --- | --- |
| Hunting Queries | 9 |
| Analytic Rules | 7 |
| Workbooks | 2 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
| --- | --- | --- | --- |
| Failed logon attempts in authpriv | Medium | CredentialAccess | Syslog |
| NRT Squid proxy events related to mining pools | Low | CommandAndControl | Syslog |
| SFTP File transfer above threshold | Medium | Exfiltration | Syslog |
| SFTP File transfer folder count above threshold | Medium | Exfiltration | Syslog |
| SSH - Potential Brute Force | Low | CredentialAccess | Syslog |
| Squid proxy events for ToR proxies | Low | CommandAndControl | Syslog |
| Squid proxy events related to mining pools | Low | CommandAndControl | Syslog |

Hunting Queries

| Name | Tactics | Tables Used |
| --- | --- | --- |
| Crypto currency miners EXECVE | Persistence, Execution | Syslog |
| Editing Linux scheduled tasks through Crontab | Persistence, Execution | Syslog |
| Linux scheduled task Aggregation | Persistence, Execution | Syslog |
| Rare process running on a Linux host | Execution, Persistence | Syslog |
| SCX Execute RunAs Providers | InitialAccess, Execution | Syslog |
| Squid commonly abused TLDs | CommandAndControl | Syslog |
| Squid data volume timeseries anomalies | CommandAndControl, Exfiltration | Syslog |
| Squid malformed requests | Discovery | Syslog |
| Suspicious cryptocurrency mining related threat activity detected | DefenseEvasion | Syslog |

Workbooks

| Name | Tables Used |
| --- | --- |
| LinuxMachines | Syslog |
| SyslogConnectorsOverviewWorkbook | - |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
| --- | --- | --- |
| 3.0.7 | 04-11-2024 | Updated the Syslog Data Connector template to latest version |
| 3.0.6 | 01-08-2024 | Updated Analytic rules for entity mappings and parameter for parser function |
| 3.0.5 | 16-07-2024 | Added 2 new Workspace Function Parsers and a new Workbook |
| 3.0.4 | 27-06-2024 | Updated Connectivity criteria query for Data Connector |
| 3.0.3 | 10-04-2024 | Updated Entity Mappings Analytic Rule FailedLogonAttempts_UnknownUser.yaml |
| 3.0.2 | 21-02-2024 | Addition of new Syslog AMA Data Connector |
| 3.0.1 | 01-02-2024 | Hunting Queries Description updated |
